Message from the Privacy Commissioner, Timothy Pilgrim

Privacy issues featured prominently in public debate during the year just passed. Unfortunately, much of this resulted from incidents in which people's personal information was compromised, often on a large scale.

The increasing level of community awareness and concern about privacy, shown particularly through the prism of the media, challenges the often-stated concept that in a rapidly changing technological environment the concept of privacy is 'dead' and we should 'just get over it'.

Contrary to this view, I believe that people's sensitivities about the handling of their personal information are being heightened as they transact more online. I also believe that people are increasingly aware of the potential for their personal information to be amalgamated and used in ways they don't expect. We have seen this concern in the debate around changes to the privacy policies of large online companies such as Google and Facebook.

While it is good to see organisations participating in public and robust debate on their approach to the handling of personal information, it is also incumbent upon them to actively take on board, wherever possible, the issues raised by their customers and, in situations where they decide not to, to explain why.

In the absence of such explanations, privacy regulators will often need to seek those answers themselves.

In terms of community expectations there also needs to be recognition that many of these organisations are providing services such as search engines and platforms to facilitate social interaction. These are often taken for granted by the community but they do come at a cost for the organisation providing them. In many cases the way of recovering that cost is through selling advertising opportunities to third party companies. There is an inherent tension between this business model and the requirement to give individuals the ability to control, to the greatest extent possible, what happens to their personal information. In that regard the onus is on organisations to give people the ability to make fully informed choices about whether or not they want to transact with the organisation or accept a particular service. This tension will continue to challenge the traditional concepts of the regulation of the handling of personal information into the future.

Developments overseas also focused the community's attention on privacy, particularly the concept of 'the right to be let alone'. This focus resulted from the allegations made in the United Kingdom against News of the World that it had systematically invaded people's privacy through illegal phone tapping. At the same time, regulation of the media in Australia is being reviewed, and a discussion paper on whether there should be a statutory cause of action for a breach of privacy was released by the Government.

It is in this environment that the OAIC has seen an increase of 11% in the number of privacy complaints being lodged. While this means there have been more complaints about poor privacy practice, this increase demonstrates that people are aware of their rights in this area and are increasingly prepared to exercise or enquire about them.

Of particular note is that in the previous financial year I opened 59 own motion investigations (OMIs) and received 56 voluntary data breach notifications (DBNs). However, by comparison, in the current year I opened 37 OMIs and received 46 voluntary data breach notifications.

While it is difficult to determine the reason for the reduction in numbers in these areas, media reports have quoted security specialists suggesting there were significantly more breaches occurring in Australia than were being reported to the OAIC. This is concerning as voluntary data breach reporting can play an important role in assisting individuals who are at risk as the result of a breach to take steps to protect their information. It also allows organisations to demonstrate that they are open about their information handling practices, helping to maintain the trust of their customers.

We take the view that if an organisation voluntarily notifies the OAIC of a breach and at the same time demonstrates that it is taking all reasonable steps to remedy the situation, we are likely to hold off formally investigating them while they deal with the issue. To support organisations and agencies in this, the OAIC released a revised draft of its voluntary data breach notification guidelines during Privacy Awareness Week 2012.

The year also culminated with the introduction into Parliament of a Bill to reform the Privacy Act 1988 in three key areas. The Bill includes a new set of Australian Privacy Principles, new credit information provisions and additional enforcement powers. In particular, the proposal to provide the Commissioners with additional powers to resolve privacy breaches through new enforceable remedies reflects the community expectations that their personal information is important and should be respected and protected. I look forward to the Parliament considering those reforms in the coming year.